External/libvirt
1
0
Fork 0
mirror of https://gitlab.com/libvirt/libvirt.git synced 2025-04-26 07:04:42 +00:00
Code Issues Packages Projects Releases Wiki Activity

Fix labelling of shared/readonly devices (Dan Walsh)

Browse Source
This commit is contained in:
Daniel P. Berrange 2009-03-17 11:35:40 +00:00
parent df59fdce06
commit c86afc85ee
4 changed files with 52 additions and 27 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
ChangeLog
View File

@ -1,3 +1,11 @@
Tue Mar 17 11:35:58 GMT 2009 Daniel P. Berrange <berrange@redhat.com>
Fix labelling of shared/readonly devices (Dan Walsh)
* src/qemu_driver.c, src/security.h: Disk label commands
take virDomainDiskDefPtr instead of virDomainDefPtr
* src/security_selinux.c: Do not relabel shared or readonly
disk images with MCS label.
Tue Mar 17 11:58:58 CET 2009 Daniel Veillard <veillard@redhat.com> Tue Mar 17 11:58:58 CET 2009 Daniel Veillard <veillard@redhat.com>
* src/remote_internal.c: remove file descriptors leak * src/remote_internal.c: remove file descriptors leak

4
src/qemu_driver.c
View File

@ -3766,7 +3766,7 @@ static int qemudDomainAttachDevice(virDomainPtr dom,
goto cleanup; goto cleanup;
} }
if (driver->securityDriver) if (driver->securityDriver)
driver->securityDriver->domainSetSecurityImageLabel(dom->conn, vm, dev); driver->securityDriver->domainSetSecurityImageLabel(dom->conn, vm, dev->data.disk);
break; break;
default: default:
@ -3902,7 +3902,7 @@ static int qemudDomainDetachDevice(virDomainPtr dom,
dev->data.disk->bus == VIR_DOMAIN_DISK_BUS_VIRTIO)) { dev->data.disk->bus == VIR_DOMAIN_DISK_BUS_VIRTIO)) {
ret = qemudDomainDetachPciDiskDevice(dom->conn, vm, dev); ret = qemudDomainDetachPciDiskDevice(dom->conn, vm, dev);
if (driver->securityDriver) if (driver->securityDriver)
driver->securityDriver->domainRestoreSecurityImageLabel(dom->conn, vm, dev); driver->securityDriver->domainRestoreSecurityImageLabel(dom->conn, dev->data.disk);
} }
else else
qemudReportError(dom->conn, dom, NULL, VIR_ERR_NO_SUPPORT, qemudReportError(dom->conn, dom, NULL, VIR_ERR_NO_SUPPORT,

5
src/security.h
View File

@ -32,11 +32,10 @@ typedef virSecurityDriverStatus (*virSecurityDriverProbe) (void);
typedef int (*virSecurityDriverOpen) (virConnectPtr conn, typedef int (*virSecurityDriverOpen) (virConnectPtr conn,
virSecurityDriverPtr drv); virSecurityDriverPtr drv);
typedef int (*virSecurityDomainRestoreImageLabel) (virConnectPtr conn, typedef int (*virSecurityDomainRestoreImageLabel) (virConnectPtr conn,
virDomainObjPtr vm, virDomainDiskDefPtr disk);
virDomainDeviceDefPtr dev);
typedef int (*virSecurityDomainSetImageLabel) (virConnectPtr conn, typedef int (*virSecurityDomainSetImageLabel) (virConnectPtr conn,
virDomainObjPtr vm, virDomainObjPtr vm,
virDomainDeviceDefPtr dev); virDomainDiskDefPtr disk);
typedef int (*virSecurityDomainGenLabel) (virConnectPtr conn, typedef int (*virSecurityDomainGenLabel) (virConnectPtr conn,
virDomainObjPtr sec); virDomainObjPtr sec);
typedef int (*virSecurityDomainGetLabel) (virConnectPtr conn, typedef int (*virSecurityDomainGetLabel) (virConnectPtr conn,

62
src/security_selinux.c
View File

@ -269,7 +269,7 @@ SELinuxGetSecurityLabel(virConnectPtr conn,
} }
static int static int
SELinuxSetFilecon(virConnectPtr conn, char *path, char *tcon) SELinuxSetFilecon(virConnectPtr conn, const char *path, char *tcon)
{ {
char ebuf[1024]; char ebuf[1024];
@ -288,28 +288,51 @@ SELinuxSetFilecon(virConnectPtr conn, char *path, char *tcon)
static int static int
SELinuxRestoreSecurityImageLabel(virConnectPtr conn, SELinuxRestoreSecurityImageLabel(virConnectPtr conn,
virDomainObjPtr vm, virDomainDiskDefPtr disk)
virDomainDeviceDefPtr dev)
{ {
const virSecurityLabelDefPtr secdef = &vm->def->seclabel; struct stat buf;
security_context_t fcon = NULL;
int rc = -1;
char *newpath = NULL;
const char *path = disk->src;
if (secdef->imagelabel) { if (disk->readonly || disk->shared)
return SELinuxSetFilecon(conn, dev->data.disk->src, default_image_context); return 0;
if (lstat(path, &buf) != 0)
return -1;
if (S_ISLNK(buf.st_mode)) {
if (VIR_ALLOC_N(newpath, buf.st_size + 1) < 0)
return -1;
if (readlink(path, newpath, buf.st_size) < 0)
goto err;
path = newpath;
if (stat(path, &buf) != 0)
goto err;
} }
return 0;
if (matchpathcon(path, buf.st_mode, &fcon) == 0) {
rc = SELinuxSetFilecon(conn, path, fcon);
}
err:
VIR_FREE(fcon);
VIR_FREE(newpath);
return rc;
} }
static int static int
SELinuxSetSecurityImageLabel(virConnectPtr conn, SELinuxSetSecurityImageLabel(virConnectPtr conn,
virDomainObjPtr vm, virDomainObjPtr vm,
virDomainDeviceDefPtr dev) virDomainDiskDefPtr disk)
{ {
const virSecurityLabelDefPtr secdef = &vm->def->seclabel; const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
if (secdef->imagelabel) { if (secdef->imagelabel)
return SELinuxSetFilecon(conn, dev->data.disk->src, secdef->imagelabel); return SELinuxSetFilecon(conn, disk->src, secdef->imagelabel);
}
return 0; return 0;
} }
@ -322,7 +345,7 @@ SELinuxRestoreSecurityLabel(virConnectPtr conn,
int rc = 0; int rc = 0;
if (secdef->imagelabel) { if (secdef->imagelabel) {
for (i = 0 ; i < vm->def->ndisks ; i++) { for (i = 0 ; i < vm->def->ndisks ; i++) {
if (SELinuxSetFilecon(conn, vm->def->disks[i]->src, default_image_context) < 0) if (SELinuxRestoreSecurityImageLabel(conn, vm->def->disks[i]) < 0)
rc = -1; rc = -1;
} }
VIR_FREE(secdef->model); VIR_FREE(secdef->model);
@ -368,16 +391,11 @@ SELinuxSetSecurityLabel(virConnectPtr conn,
if (secdef->imagelabel) { if (secdef->imagelabel) {
for (i = 0 ; i < vm->def->ndisks ; i++) { for (i = 0 ; i < vm->def->ndisks ; i++) {
if(setfilecon(vm->def->disks[i]->src, secdef->imagelabel) < 0) { if (vm->def->disks[i]->readonly ||
virSecurityReportError(conn, VIR_ERR_ERROR, vm->def->disks[i]->shared) continue;
_("%s: unable to set security context "
"'\%s\' on %s: %s."), __func__, if (SELinuxSetSecurityImageLabel(conn, vm, vm->def->disks[i]) < 0)
secdef->imagelabel, return -1;
vm->def->disks[i]->src,
virStrerror(errno, ebuf, sizeof ebuf));
if (security_getenforce() == 1)
return -1;
}
} }
} }